US20080222716A1 - COMMUNICATION SYSTEM, IPsec TUNNEL TERMINATION DEVICE, AND IPsec TUNNEL COMMUNICATION CONTINUATION METHOD USED FOR THEM - Google Patents

Info

Publication number: US20080222716A1
Application number: US12/042,752
Inventor: Yasunori Momoi
Original assignee: NEC Corp
Current assignee: NEC Corp
Legal status: Abandoned
History: application filed by NEC Corp; assigned to NEC CORPORATION (assignor: MOMOI, YASUNORI); published as US20080222716A1; abandoned.

Classifications

    • H04L63/164 Implementing security features at the network layer (H04L63/00 Network architectures or network communication protocols for network security)
    • H04L43/0811 Monitoring or testing based on specific metrics by checking availability, by checking connectivity (H04L43/00 Arrangements for monitoring or testing data switching networks)
    • H04L45/28 Routing or path finding of packets in data switching networks using route fault recovery (H04L45/00)

Definitions

  • The connection destination device that terminates the IPsec tunnel assigns the address X of the connection destination device to the virtual line unit in response to an instruction from the control unit.
  • The address X is an address assigned to a physical line such as line A.
  • In response to an instruction from the control unit, the virtual line unit specifies line A as the active line to be used for communication. To make it appear to an external device that the address X is assigned to line A, the virtual line unit notifies a preceding-stage device that line A has the address X, and the setting of the address X of the connection destination device is completed.
  • The establishment, communication, or disconnection of the IPsec tunnel from the connection source device to the connection destination device is then performed using line A, which has the address X of the connection destination device.
  • The control unit requests the virtual line unit to switch the active line from line A to line B and, in response, the virtual line unit sets line B as the active line to be used for communication.
  • The virtual line unit notifies the preceding-stage device that line B has the address X. Thereafter, the establishment, communication, or disconnection of the IPsec tunnel from the connection source device to the connection destination device is performed using line B, which has the address X of the connection destination device.
  • If it appears to the connection source device that the address X of the connection destination device is assigned to one of line A and line B of the connection destination device, the connection source device can establish, communicate over, or disconnect the IPsec tunnel to the connection destination device.
  • The communication system of the present invention thus assigns the address of the connection destination device, not directly to a physical line such as line A, but to the virtual line unit. In this way, the communication system implements line redundancy by making it appear to an external device that the address is assigned to the active line.
  • The connection source device can therefore establish or disconnect the IPsec tunnel, or can continue communication over the IPsec tunnel that was established before the line failure occurred.
  • The present invention, which has the configuration and performs the operation described above, achieves the effect that the connection source device can establish, communicate over, or disconnect the IPsec tunnel to the connection destination device with no concern for the line used in the connection destination device or for line redundancy.
  • FIG. 1 is a block diagram showing the configuration of a communication system in one example of the present invention.
  • FIG. 2 is a diagram showing the operation of a connection destination device in one example of the present invention.
  • FIG. 3 is a diagram showing the operation of the connection destination device in one example of the present invention.
  • FIG. 4 is a flowchart showing the active line setting operation of the connection destination device in one example of the present invention.
  • FIG. 5 is a flowchart showing the active line switching operation performed by the connection destination device when a line failure occurs in one example of the present invention.
  • FIG. 6 is a block diagram showing the configuration of a connection destination device in another example of the present invention.
  • FIG. 7 is a block diagram showing the configuration of a communication system of the related art.
  • FIG. 1 is a block diagram showing the configuration of a communication system in one example of the present invention. Referring to FIG. 1, the communication system in this example comprises a connection destination device 1, a preceding-stage device 2, and a connection source device 3.
  • The connection destination device 1 comprises a line (A) 11, a line (B) 12, a virtual line unit 13, an SAD (Security Association Database) 14 in which IPsec connection (Security Association) information is stored, and a control unit 15.
  • Although the line (A) 11 and the line (B) 12 are physical lines, addresses are not assigned directly to those lines in the connection destination device 1. Instead, the address of the connection destination device 1 is assigned to the virtual line unit 13.
  • The virtual line unit 13 has an interface (I/F) not only with the line (A) 11, the line (B) 12, and the control unit 15, but also with the SAD 14.
  • The virtual line unit 13 specifies the physical line (A) 11 or the physical line (B) 12 as the active line that will be used for communication, and has the function to notify the preceding-stage device 2 that the line (A) 11 or the line (B) 12 has the address X.
  • The SAD 14, a Security Association Database for IPsec (Internet Protocol security protocol), identifies the address assigned to the virtual line unit 13 as the connection destination device address.
  • The control unit 15 has the function to assign an address to the virtual line unit 13 and to specify which line, the line (A) 11 or the line (B) 12, the virtual line unit 13 is to activate.
  • FIG. 2 and FIG. 3 are diagrams showing the operation of the connection destination device 1 in one example of the present invention. FIG. 2 shows the operation in which the line (A) 11 is set as the active line, and FIG. 3 shows the operation in which the active line is switched from the line (A) 11 to the line (B) 12.
  • The following describes the operation of the connection destination device 1 in one example of the present invention with reference to FIG. 1 to FIG. 3.
  • The control unit 15 assigns a connection destination device address to the virtual line unit 13.
  • The virtual line unit 13 sets the line (A) 11 as the active line that will be used for communication and, to make it appear to an external device that the connection destination device address is assigned to the line (A) 11, notifies the preceding-stage device 2 that the line (A) 11 has the connection destination device address. Thereafter, the line (A) 11 is used to establish, communicate over, and disconnect an IPsec tunnel 16 from the connection source device 3 to the connection destination device 1.
  • The control unit 15 issues a switching request to the virtual line unit 13 to switch the active line from the line (A) 11 to the line (B) 12.
  • The virtual line unit 13 sets the line (B) 12 as the active line. To make it appear to an external device that the connection destination device address is assigned to the line (B) 12, the virtual line unit 13 notifies the preceding-stage device 2 that the line (B) 12 has the connection destination device address. Thereafter, the line (B) 12 is used to establish, communicate over, and disconnect the IPsec tunnel 16 from the connection source device 3 to the connection destination device 1.
  • FIG. 4 is a flowchart showing the active line setting operation of the connection destination device 1 in one example of the present invention, and FIG. 5 is a flowchart showing the active line switching operation of the connection destination device 1 in one example of the present invention when a line failure occurs.
  • The following describes the operation of the connection destination device 1 in one example of the present invention with reference to FIG. 1 to FIG. 5.
  • The processing shown in FIG. 4 and FIG. 5 is implemented when the CPU (central processing unit) (not shown), one of the components of the control unit 15, executes a computer-executable program.
  • The following describes the active line setting of the connection destination device 1 with reference to FIG. 2 and FIG. 4.
  • The control unit 15 confirms the line status of the line (A) 11 (step S1 in FIG. 4) and determines whether the line (A) 11 can be made effective (step S2 in FIG. 4). If it is confirmed that the line (A) 11 is effective, the control unit 15 instructs the virtual line unit 13 to set the line (A) 11 as the active line (step S3 in FIG. 4).
  • Otherwise, the control unit 15 confirms the line status of the line (B) 12 (step S4 in FIG. 4) and determines whether the line (B) 12 can be made effective (step S5 in FIG. 4). If it is confirmed that the line (B) 12 is effective, the control unit 15 instructs the virtual line unit 13 to set the line (B) 12 as the active line (step S6 in FIG. 4). After the line selection is finished, the control unit 15 instructs the virtual line unit 13 to notify an external device about the active line (step S7 in FIG. 4), and completes the setting.
  • If neither line is effective, the control unit 15 determines that the lines cannot be set (step S8 in FIG. 4) and completes the active line setting operation.
  • When a line failure occurs, the control unit 15 confirms on which line the failure has occurred (step S11 in FIG. 5). If it is determined that the line failure has occurred on the active line side (step S12 in FIG. 5), the control unit 15 deactivates the active-side line (the line (A) 11 in this example) (step S13 in FIG. 5) and activates the non-failed line (the line (B) 12 in this example) (step S14 in FIG. 5).
  • The control unit 15 then instructs the virtual line unit 13 to notify the external device that the non-failed line has been activated (step S15 in FIG. 5) and completes the switching operation of the active line setting that is performed when a line failure occurs.
  • If the failure is not on the active line, the control unit 15 determines that the failure was on the non-active line (step S16 in FIG. 5) and completes the switching operation of the active line setting that is performed when a line failure occurs.
  • In this way, only one address is used for the connection destination device 1 in this example, and the line redundancy function can be provided without redundant IPsec tunnels from the connection source device 3 to the connection destination device 1.
  • Because the address of the connection destination device 1 is assigned, not directly to the physical lines, but to the virtual line unit 13, the connection source device 3 can establish, communicate over, or disconnect an IPsec tunnel to the connection destination device 1 with no concern about the line used by the connection destination device 1 or about the line redundancy.
  • The same configuration eliminates the need for creating IPsec tunnels and SADs, one for each redundant line, between the connection source device and the connection destination device, thus increasing efficiency.
  • The IPsec tunnel established before the failure occurred can be used continuously.
  • FIG. 6 is a block diagram showing the configuration of a connection destination device in another example of the present invention.
  • The basic configuration of the other example of the present invention shown in FIG. 6 is the same as that of the example described above, except for further modifications to the configuration of a connection destination device 4. That is, the connection destination device 4 comprises a line (A) 41-1, a line (B) 41-2, . . . , a line (N) 41-N, a virtual line unit 42, and a control unit 43, and an externally installed SAD 5 is connected to the virtual line unit 42.
  • The SAD 5, which can be installed outside the connection destination device 4 as shown in FIG. 6, communicates with the connection destination device 4 via a general-purpose communication method such as TCP/IP (Transmission Control Protocol/Internet Protocol). This configuration minimizes the effect on the SAD 5 even when the connection destination device 4 fails.
  • The physical lines are not limited to two, the line (A) 41-1 and the line (B) 41-2; one or more further lines up to the line (N) 41-N may be installed to increase the number of physical lines to N.
  • This configuration performs the same operation, and achieves the same effect, as the example described above.
  • The lines may also be installed redundantly in the connection source device 3.

Abstract

A control unit of a connection destination device assigns a connection destination device address to a virtual line unit. In response to an instruction from the control unit, the virtual line unit sets a line as an active line to be used for communication and, to make it appear to an external device that the connection destination device address is assigned to the line, notifies a preceding-stage device that the line has the connection destination device address. Thereafter, the line is used to establish, communicate, or disconnect an IPsec tunnel from a connection source device to the connection destination device.

Description

    REFERENCE TO RELATED APPLICATION
  • This application is based upon and claims the benefit of the priority of Japanese patent application No. 2007-056502, filed on Mar. 7, 2007, the disclosure of which is incorporated herein in its entirety by reference thereto.
  • FIELD OF THE INVENTION
  • The present invention relates to a communication system and an IPsec tunnel termination device, as well as an IPsec tunnel communication continuation method used for them and its program, and more particularly to a method for continuing IPsec tunnel communication when a line failure occurs in an IPsec (Internet Protocol security protocol) tunnel termination device.
  • BACKGROUND OF THE INVENTION
  • FIG. 7 is a diagram illustrating the configuration of a typical conventional communication system in which an IPsec tunnel to a connection source device is terminated at a connection destination device. Conventionally, in the communication system in which communication is performed using IPsec tunnels and in which there are provided a connection destination device 6, a preceding-stage device 7, and a connection source device 8, IPsec tunnels 91 and 92 are provided redundantly to support line redundancy as shown in FIG. 7.
  • In FIG. 7, the connection destination device 6 comprises a line (A) 61, a line (B) 62, an SAD (Security Association Database)-A 63 and an SAD-B 64 in which IPsec connection (Security Association) information is stored, a switch unit 65, and a control unit 66. The connection source device 8 comprises an SAD-a 81 and an SAD-b 82.
  • In the connection destination device 6, address A and address B are assigned, respectively, to the line (A) 61 and line (B) 62. So, the connection source device 8 establishes, communicates via, or disconnects the IPsec tunnel 91 and 92 using address A of the line (A) 61 and address B of the line (B) 62 as the address of the connection destination device 6 (for example, see Patent Document 1).
  • [Patent Document 1]
  • Japanese Patent Kokai Publication No. JP-P2005-341084A
  • SUMMARY OF THE DISCLOSURE
  • The entire disclosures of the above mentioned patent document are incorporated herein by reference thereto.
  • One of the problems with the conventional communication system described above is that, when line redundancy is supported, the connection source device 8 must set up IPsec tunnels, one for each redundant lines, because an address is assigned to each line.
  • Another problem with the conventional communication system is that, because IPsec tunnels are redundantly provided, both the connection source device 8 and the connection destination device 6 must have SADs (SAD-A 63 and SAD-B 64 in connection destination device 6, and SAD-a 81 and SAD-b 82 in connection source device 8), one for each IPsec tunnel.
  • A still another problem with the conventional communication system is that the switch unit 65 and the control unit 66 must be installed in the connection destination device 6 to select an IPsec tunnel to be used and to control the selected IPsec tunnel. This problem applies also to the connection source device 8.
  • A still another problem with the conventional communication system is that, because the IPsec tunnels are switched when a line failure occurs in the connection destination device 6, the SADs in the connection source device 8 and the connection destination device 6 (SAD-A 63 and SAD-a 81, SAD-B 64 and SAD-b 82) must also be switched (exchanged). This means that the connection source device 8 and the connection destination device 6 must synchronize with each other in switching the SADs.
  • When communication is performed with an IPsec tunnel established, there is a one to one correspondence between the connection source address and the connection destination address. When line redundancy is supported for increasing the reliability of a connection destination device, two or more connection destination addresses, one for each redundant line, are required. This means that there is a one to N correspondence between the connection source address and the connection destination address. As more and more connection destination lines with the redundant configuration are used, addresses are required for the connection destination lines, one for each, and the IPsec tunnels must also be provided redundantly.
  • In addition, because the communication described above requires an IPsec tunnel for each redundant line, both the connection source device and the connection destination device must have SADs (redundantly), one for each connection destination line.
  • Furthermore, because the IPsec tunnels are switched when a line failure occurs in the connection destination device, the SADs in the connection source device and the connection destination device must be switched (exchanged) and, so, the connection source device and the connection destination device must synchronize with each other in switching the SADs.
  • It is an object of the present invention to solve the problems described above. More specifically, an object of the present invention is to provide a communication system and an IPsec tunnel termination device, as well as an IPsec tunnel communication continuation method for them and its program, for allowing a connection source device to establish, communicate, or disconnect an IPsec tunnel to a connection destination device with no concern about a line used by the connection destination device or about the line redundancy.
  • A communication system according to the present invention is a communication system in which an IPsec (Internet Protocol security protocol) tunnel to a connection source device is terminated at a connection destination device, wherein
  • the connection destination device comprises:
  • a plurality of physical lines; and
  • virtual line means that specifies one of the plurality of physical lines as an active line to be used for communication and that notifies an external device that the specified physical line is of a pre-assigned address of the connection destination device; and wherein the address of the connection destination device is assigned to the virtual line means to make it appear to the external device that the address is assigned to the active line.
  • An IPsec tunnel termination device according to the present invention is an IPsec termination device that terminates an IPsec tunnel, comprising:
  • a plurality of physical lines; and virtual line means that specifies one of the plurality of physical lines as an active line to be used for communication and that notifies an external device that the specified physical line is of a pre-assigned address wherein the address of the IPsec termination device is assigned to the virtual line means to make it appear to the external device that the address is assigned to the active line.
  • An IPsec tunnel communication continuation method according to the present invention is an IPsec tunnel communication continuation method for use in a communication system in which an IPsec tunnel to a connection source device is terminated at a connection destination device wherein
  • the connection destination device notifies to an external device that a physical line, which is specified using virtual line means that specifies one of a plurality of physical lines as an active line to be used for communication, is of a pre-assigned address of the connection destination device and
  • the address of the connection destination device is assigned to the virtual line means to make it appear to the external device that the address is assigned to the active line.
  • A program according to the present invention is a program which is executed in an IPsec termination device that terminates an IPsec tunnel and which is executable by a computer, the program including the process of:
  • notifying to an external device that a physical line, which is specified using virtual line means that specifies one of a plurality of physical lines as an active line to be used for communication, is of a pre-assigned address of the connection destination device.
  • That is, in the communication system of the present invention, the IPsec (Internet Protocol security protocol) tunnels themselves are not made redundant; instead, redundant lines are provided in the connection destination device. So, even when a line failure occurs, the IPsec tunnel can be established or disconnected, or an IPsec tunnel established before the occurrence of the line failure can be used continuously.
  • In the communication system of the present invention, the address of the connection destination device is assigned, not directly to a physical line such as line A, but to the virtual line unit so that it appears to an external device that the address is assigned to the activated line. This eliminates the need for setting multiple connection destination addresses and for creating multiple IPsec tunnels between the connection source device and the connection destination device, one for each redundant line. In addition, the communication system of the present invention eliminates the need for both the connection source device and the connection destination device to have SADs (Security Association Databases).
  • In the communication system of the present invention, the active line of the connection destination device is switched to another line when a line failure occurs in the connection destination device. So, the IPsec tunnel established before the error can be used continuously.
  • In the communication system of the present invention, when the redundant lines (master/slave) are used in the termination device where IPsec encryption/decryption processing is performed, the address of the termination device is assigned, not directly to the lines, but to the virtual line unit as described above, so that it appears to an external device that the address of the termination device is assigned to the active line. So, even when a line failure occurs, the IPsec tunnel can be established or disconnected or an IPsec tunnel, established before the line failure, can be used continuously.
  • More specifically, in the communication system of the present invention, the connection destination device that terminates the IPsec tunnel assigns the address X of the connection destination device to the virtual line unit in response to an instruction from the control unit. In the conventional method, the address X is an address assigned to a physical line such as line A.
  • In response to an instruction from the control unit, the virtual line unit specifies line A as an active line to be used for communication. To make it appear to an external device that the address X is assigned to line A, the virtual line unit notifies a preceding-stage device that line A has the address X, and the setting of the address X of the connection destination device is completed.
  • In this case, the establishment, communication, or disconnection of the IPsec tunnel from the connection source device to the connection destination device is performed using line A that has the address X of the connection destination device. However, when an error is generated on line A, the control unit requests the virtual line unit to switch the active line from line A to line B and, in response, the virtual line unit sets line B as an active line to be used for communication.
  • In addition, to make it appear to an external device that the address X is assigned to line B, the virtual line unit notifies the preceding-stage device that line B has the address X. Thereafter, the establishment, communication, or disconnection of the IPsec tunnel from the connection source device to the connection destination device is performed using line B that has the address X of the connection destination device.
  • If it appears to the connection source device that the address X of the connection destination device is assigned to one of line A and line B of the connection destination device, the connection source device can establish, communicate, or disconnect the IPsec tunnel to the connection destination device.
  • As described above, the communication system of the present invention assigns the address of the connection destination device, not directly to a physical line such as line A, but to the virtual line unit. In this way, the communication system implements line redundancy by making it appear to an external device that the address is assigned to an active line.
  • In addition, even when a line failure occurs in the connection destination device, the connection source device can establish or disconnect the IPsec tunnel or can continue the communication where the IPsec tunnel, established before the line failure was generated, is used.
  • The meritorious effects of the present invention are summarized as follows.
  • The present invention, which has the configuration described above and performs the operation as described above, achieves an effect that the connection source device can establish, communicate, or disconnect the IPsec tunnel to the connection destination device with no concern for the line used in the connection destination device or for line redundancy.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a block diagram showing the configuration of a communication system in one example of the present invention.
  • FIG. 2 is a diagram showing the operation of a connection destination device in one example of the present invention.
  • FIG. 3 is a diagram showing the operation of the connection destination device in one example of the present invention.
  • FIG. 4 is a flowchart showing the active line setting operation of the connection destination device in one example of the present invention.
  • FIG. 5 is a flowchart showing the active line setting switching operation performed by the connection destination device when a line failure occurs in one example of the present invention.
  • FIG. 6 is a block diagram showing the configuration of a connection destination device in another example of the present invention.
  • FIG. 7 is a block diagram showing the configuration of a communication system of a related art.
  • PREFERRED MODES OF THE INVENTION
  • Embodiments of the present invention will be described more in detail with reference to the drawings.
  • FIRST EXAMPLE
  • FIG. 1 is a block diagram showing the configuration of a communication system in one example of the present invention. Referring to FIG. 1, the communication system in one example of the present invention comprises a connection destination device 1, a preceding-stage device 2, and a connection source device 3.
  • The connection destination device 1 comprises a line (A) 11, a line (B) 12, a virtual line unit 13, a SAD (Security Association Database) 14 in which IPsec connection (Security Association) information is stored, and a control unit 15. Although the line (A) 11 and the line (B) 12 are physical lines, the addresses are not assigned directly to those lines in the connection destination device 1. The address of the connection destination device 1 is assigned to the virtual line unit 13.
  • The virtual line unit 13 has an interface (I/F) not only with the line (A) 11, line (B) 12, and control unit 15, but also with the SAD 14. In response to an instruction from the control unit 15, the virtual line unit 13 specifies the physical line (A) 11 or physical line (B) 12 as an active line that will be used for communication. In addition, to make it appear to an external device that the address X is assigned to the line (A) 11 or the line (B) 12, the virtual line unit 13 has the function to notify the preceding-stage device 2 that the line (A) 11 or the line (B) 12 has the address X.
  • The SAD 14, a Security Association Database for the IPsec (Internet Protocol security protocol), identifies an address, assigned to the virtual line unit 13, as the connection destination device address.
  • The control unit 15 has the function to assign an address to the virtual line unit 13 and to specify which line, line (A) 11 or line (B) 12, the virtual line unit 13 is to activate.
  • FIG. 2 and FIG. 3 are diagrams showing the operation of the connection destination device 1 in one example of the present invention. FIG. 2 shows the operation in which the line (A) 11 is set as an active line, and FIG. 3 shows the operation in which the active line is switched from the line (A) 11 to the line (B) 12. The following describes the operation of the connection destination device 1 in one example of the present invention with reference to FIG. 1 to FIG. 3.
  • The control unit 15 assigns a connection destination device address to the virtual line unit 13. In response to the instruction from the control unit 15, the virtual line unit 13 sets the line (A) 11 as an active line that will be used for communication and, to make it appear to an external device that the connection destination device address is assigned to the line (A) 11, notifies the preceding-stage device 2 that the line (A) 11 is the connection destination device address. Thereafter, the line (A) 11 is used to establish, communicate, and disconnect an IPsec tunnel 16 from the connection source device 3 to the connection destination device 1.
  • On the other hand, when a failure is detected on the line (A) 11, the control unit 15 executes a switching request to the virtual line unit 13 to switch the active line from the line (A) 11 to the line (B) 12.
  • In response to the switching request from the control unit 15, the virtual line unit 13 sets the line (B) 12 as an active line. To make it appear to an external device that the connection destination device address is assigned to the line (B) 12, the virtual line unit 13 notifies the preceding-stage device 2 that the line (B) 12 is the connection destination device address. Thereafter, the line (B) 12 is used to establish, communicate, and disconnect an IPsec tunnel 16 from the connection source device 3 to the connection destination device 1.
  • FIG. 4 is a flowchart showing the active line setting operation of the connection destination device 1 in one example of the present invention, and FIG. 5 is a flowchart showing the active line setting switching operation of the connection destination device 1 in one example of the present invention when a line failure occurs. The following describes the operation of the connection destination device 1 in one example of the present invention with reference to FIG. 1 to FIG. 5. The processing shown in FIG. 4 and FIG. 5 is implemented when the CPU (central processing unit) (not shown), one of the components of the control unit 15, executes a computer-executable program.
  • First, the following describes the active line setting of the connection destination device 1 with reference to FIG. 2 and FIG. 4.
  • When the active line setting operation is started, the control unit 15 confirms the line status of the line (A) 11 (step S1 in FIG. 4) and determines if the line (A) 11 can be made effective (step S2 in FIG. 4). If it is confirmed that the line (A) 11 is effective, the control unit 15 instructs the virtual line unit 13 to set the line (A) 11 as an active line (step S3 in FIG. 4).
  • If the line (A) 11 is not effective, the control unit 15 confirms the line status of the line (B) 12 (step S4 in FIG. 4) and determines if the line (B) 12 can be made effective (step S5 in FIG. 4). If it is confirmed that the line (B) 12 is effective, the control unit 15 instructs the virtual line unit 13 to set the line (B) 12 as an active line (step S6 in FIG. 4). After the line selection is finished, the control unit 15 instructs the virtual line unit 13 to notify an external device about the active line (step S7 in FIG. 4), and completes the setting.
  • If it is determined that neither the line (A) 11 nor the line (B) 12 is effective, the control unit 15 determines that the lines cannot be set (step S8 in FIG. 4) and completes the active line setting operation.
  • Next, with reference to FIG. 3 and FIG. 5, the following describes the switching operation of active line setting by the connection destination device 1 when a line failure occurs.
  • If a notification of the occurrence of a line failure is received, the control unit 15 confirms on which line the failure has occurred (step S11 in FIG. 5). If it is determined that the line failure has occurred on the active line side (step S12 in FIG. 5), the control unit 15 deactivates the active side line (line (A) 11 in this example) (step S13 in FIG. 5) and activates the non-failure line (line (B) 12 in this example) (step S14 in FIG. 5).
  • After that, the control unit 15 instructs the virtual line unit 13 to notify the external device that the non-failure line is activated (step S15 in FIG. 5) and completes the switching operation of active line setting that is performed when a line failure occurs.
  • If the active line was not subjected to a failure, the control unit 15 determines that the failure was on the non-active line (step S16 in FIG. 5) and completes the switching operation of the active line setting that is performed when a line failure occurs.
  • As described above, only one address is used for the connection destination device 1 in this example, and the line redundancy function can be provided without using redundant IPsec tunnels from the connection source device 3 to the connection destination device 1.
  • In this example, the address of the connection destination device 1 is assigned, not directly to the physical lines, but to the virtual line unit 13. This configuration allows the connection source device 3 to establish, communicate, or disconnect an IPsec tunnel to the connection destination device 1 with no concern about the line used by the connection destination device 1 or about the line redundancy.
  • In this example, the address of the connection destination device 1 is assigned, not directly to the physical lines, but to the virtual line unit 13. This configuration eliminates the need for creating IPsec tunnels and SADs, one for each redundant line, between the connection source device and the connection destination device, thus increasing efficiency.
  • In this example, because the active line of the connection destination device 1 is switched when a line failure occurs in the connection destination device 1, the IPsec tunnel established before the generation of the error can be used continuously.
  • SECOND EXAMPLE
  • FIG. 6 is a block diagram showing the configuration of a connection destination device in another example of the present invention. The basic configuration of another example of the present invention shown in FIG. 6 is the same as that of one example of the present invention described above, except for further modifications to the configuration of a connection destination device 4. That is, the connection destination device 4 comprises line (A) 41-1, line (B) 41-2, . . . , line (N) 41-N, a virtual line unit 42, and a control unit 43, and an externally installed SAD 5 is connected to the virtual line unit 13.
  • The SAD 5, which can be installed outside the connection destination device 4 as shown in FIG. 6, communicates with the connection destination device 4 via a general-purpose communication method such as TCP/IP (Transmission Control Protocol/Internet Protocol). This configuration minimizes the effect on the SAD 5 even when the connection destination device 4 fails.
  • In this example, the physical lines are not limited to two, line (A) 41-1 and line (B) 41-2, but one or more lines (N) 41-N are installed to increase the number of physical lines to N. This configuration also performs the same operation, and achieves the same effect, as that of one example of the present invention.
  • In addition, though installed redundantly in the connection destination device 4 in this example, the lines may also be installed redundantly in a connection source device 3.
  • It should be noted that other objects, features and aspects of the present invention will become apparent in the entire disclosure and that modifications may be made without departing from the gist and scope of the present invention as disclosed herein and claimed as appended herewith.
  • Also it should be noted that any combination of the disclosed and/or claimed elements, matters and/or items may fall under the modifications aforementioned.
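The active line setting of FIG. 4, the failure switching of FIG. 5, and the single-address SAD lookup of the first example, simulated together as an added example. This is illustrative Python written for this page, not NEC's implementation or the program of claim 13: the line names, the `Notification` record that stands in for the message to the preceding-stage device 2, the TEST-NET addresses and the SPI value are constructed, and keying the inbound SA lookup by (destination address, SPI) is an assumption about how the SAD 14 is consulted. The point it shows is that the SA found in the SAD is the same before and after the active line moves from line (A) to line (B), because the lookup key is the address held by the virtual line unit, not a line.

```python
"""Virtual line unit with active-line failover. Illustrative only, not NEC's code.

Constructed assumptions: line names "A"/"B", a Notification record standing in
for the message to the preceding-stage device, TEST-NET addresses, the SPI value,
and an SAD keyed by (destination address, SPI) for the inbound lookup.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PhysicalLine:
    name: str        # line (A) 11, line (B) 12 in FIG. 1
    up: bool = True  # line status checked at steps S1/S4 of FIG. 4


@dataclass
class Notification:
    """Stands in for 'line <line> has address <address>' sent to the preceding-stage device."""
    address: str
    line: str


class SAD:
    """Security Association Database: inbound SAs keyed by (destination address, SPI)."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[str, int], str] = {}

    def add(self, dst: str, spi: int, peer: str) -> None:
        self._sas[(dst, spi)] = peer

    def lookup(self, dst: str, spi: int) -> Optional[str]:
        return self._sas.get((dst, spi))


class VirtualLineUnit:
    """Holds the device address; exactly one physical line is active at a time."""

    def __init__(self, lines: List[PhysicalLine], sad: SAD) -> None:
        self.lines = lines
        self.sad = sad
        self.address: Optional[str] = None
        self.active: Optional[PhysicalLine] = None
        self.notifications: List[Notification] = []

    def assign_address(self, address: str) -> None:
        self.address = address  # bound here, never to a physical line

    def activate(self, line: PhysicalLine) -> None:
        self.active = line
        # Steps S7 / S15: tell the external device which line now has address X.
        self.notifications.append(Notification(self.address, line.name))

    def inbound_sa(self, spi: int) -> Optional[str]:
        # The lookup goes through the virtual address, so it does not depend on
        # which physical line the packet arrived on.
        return self.sad.lookup(self.address, spi)


class ControlUnit:
    def __init__(self, vlu: VirtualLineUnit) -> None:
        self.vlu = vlu

    def set_active_line(self) -> Optional[str]:
        """FIG. 4: activate the first effective line; None corresponds to step S8."""
        for line in self.vlu.lines:       # S1/S2 for line (A), S4/S5 for line (B)
            if line.up:
                self.vlu.activate(line)   # S3 / S6, then S7
                return line.name
        return None

    def on_line_failure(self, failed: str) -> Optional[str]:
        """FIG. 5: switch only when the failed line is the active one."""
        for line in self.vlu.lines:       # S11: record which line failed
            if line.name == failed:
                line.up = False
        active = self.vlu.active
        if active is None or active.name != failed:
            return active.name if active else None  # S16: non-active line, no change
        for line in self.vlu.lines:       # S13/S14: move to a non-failure line
            if line.up:
                self.vlu.activate(line)   # S15
                return line.name
        self.vlu.active = None            # no line left to activate
        return None


def failover_scenario() -> dict:
    """Line (A) active, one SA established, then line (A) fails (FIG. 2 to FIG. 3)."""
    sad = SAD()
    vlu = VirtualLineUnit([PhysicalLine("A"), PhysicalLine("B")], sad)
    ctl = ControlUnit(vlu)
    vlu.assign_address("192.0.2.10")               # address X (constructed)
    first = ctl.set_active_line()
    sad.add("192.0.2.10", 0x1000, "198.51.100.7")  # SA from the source device (constructed)
    sa_before = vlu.inbound_sa(0x1000)
    switched_to = ctl.on_line_failure("A")
    sa_after = vlu.inbound_sa(0x1000)
    return {
        "first_active": first,
        "after_failover": switched_to,
        "sa_before": sa_before,
        "sa_after": sa_after,
        "notified": [(n.address, n.line) for n in vlu.notifications],
    }
```

Running `failover_scenario()` shows the two notifications the preceding-stage device receives (address X on line A, then address X on line B) and that the same SA is returned before and after the switch. A failure reported on the non-active line leaves the active line and the notification history unchanged, and when no line is effective the control unit returns `None`, matching step S8.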

Claims (13)

1. A communication system in which an IPsec (Internet Protocol security protocol) tunnel to a connection source device is terminated at a connection destination device, wherein said connection destination device comprises:
a plurality of physical lines; and
virtual line means that specifies one of said plurality of physical lines as an active line to be used for communication and that notifies an external device that the specified physical line is of a pre-assigned address of said connection destination device;
the address of said connection destination device being assigned to said virtual line means to make it appear to said external device that the address is assigned to the active line.
2. The communication system according to claim 1, wherein said virtual line means switches the active line to another physical line when a line failure occurs in said connection destination device.
3. The communication system according to claim 1, wherein said connection destination device further comprises an SAD (Security Association Database) which is provided for common use by said plurality of physical lines and in which IPsec connection information is stored.
4. The communication system according to claim 1, wherein an SAD which is provided for common use by said plurality of physical lines and in which IPsec connection information is stored is provided outside said connection destination device.
5. An IPsec termination device that terminates an IPsec tunnel, comprising:
a plurality of physical lines; and
virtual line means that specifies one of said plurality of physical lines as an active line to be used for communication and that notifies an external device that the specified physical line is of a pre-assigned address; wherein
the address of said IPsec termination device is assigned to said virtual line means to make it appear to said external device that the address is assigned to the active line.
6. The IPsec termination device according to claim 5, wherein said virtual line means switches the active line to another physical line when a line failure occurs in said connection destination device.
7. The IPsec termination device according to claim 5, further comprising a SAD which is provided for common use by said plurality of physical lines and in which IPsec connection information is stored.
8. The IPsec termination device according to claim 5, wherein a SAD which is provided for common use by said plurality of physical lines and in which IPsec connection information is stored is provided outside said IPsec termination device.
9. An IPsec tunnel communication continuation method for use in a communication system in which an IPsec tunnel to a connection source device is terminated at a connection destination device, said method comprising:
notifying by said connection destination device to an external device that a physical line, which is specified using virtual line means that specifies one of a plurality of physical lines as an active line to be used for communication, is of a pre-assigned address of said connection destination device; and
assigning the address of said connection destination device to said virtual line means to make it appear to said external device that the address is assigned to the active line.
10. The IPsec tunnel communication continuation method according to claim 9, wherein said connection destination device switches the active line to another physical line by means of said virtual line means when a line failure occurs in said connection destination device.
11. The IPsec tunnel communication continuation method according to claim 9, wherein a SAD which is provided for common use by said plurality of physical lines and in which IPsec connection information is stored is provided in said connection destination device.
12. The IPsec tunnel communication continuation method according to claim 9, wherein a SAD which is provided for common use by said plurality of physical lines and in which IPsec connection information is stored is provided outside said connection destination device.
13. A program which is executed in an IPsec termination device that terminates an IPsec tunnel and which is executable by a computer, said program including the process of:
notifying to an external device that a physical line, which is specified using virtual line means that specifies one of a plurality of physical lines as an active line to be used for communication, is of a pre-assigned address of said connection destination device.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2007056502A JP2008219679A (en) 2007-03-07 2007-03-07 COMMUNICATION SYSTEM, IPsec TUNNEL TERMINATING DEVICE AND IPsec TUNNEL COMMUNICATION CONTINUATION METHOD USED THEREFOR
JP2007-056502 2007-03-07

Publications (1)

Publication Number Publication Date
US20080222716A1 true US20080222716A1 (en) 2008-09-11

Family

ID=39742986

Family Applications (1)

Application Number Title Priority Date Filing Date
US12/042,752 Abandoned US20080222716A1 (en) 2007-03-07 2008-03-05 COMMUNICATION SYSTEM, IPsec TUNNEL TERMINATION DEVICE, AND IPsec TUNNEL COMMUNICATION CONTINUATION METHOD USED FOR THEM

Country Status (3)

Country Link
US (1) US20080222716A1 (en)
EP (1) EP2012492A1 (en)
JP (1) JP2008219679A (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5573188B2 (en) * 2010-01-20 2014-08-20 富士通株式会社 Communication system and control method
JP2012070077A (en) * 2010-09-21 2012-04-05 Nec Infrontia Corp Communication system, information processing device, and information processing method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030189898A1 (en) * 2002-04-04 2003-10-09 Frick John Kevin Methods and systems for providing redundant connectivity across a network using a tunneling protocol
US20040010583A1 (en) * 2002-07-10 2004-01-15 Nortel Networks Limited Method and apparatus for defining failover events in a network device
US6915436B1 (en) * 2000-08-02 2005-07-05 International Business Machines Corporation System and method to verify availability of a back-up secure tunnel
US6931529B2 (en) * 2001-01-05 2005-08-16 International Business Machines Corporation Establishing consistent, end-to-end protection for a user datagram
US7620041B2 (en) * 2004-04-15 2009-11-17 Alcatel-Lucent Usa Inc. Authentication mechanisms for call control message integrity and origin verification

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007056502A (en) 2005-08-23 2007-03-08 Shin Caterpillar Mitsubishi Ltd Cab reinforcing member, cab, and work machine

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110228935A1 (en) * 2010-03-17 2011-09-22 Fujitsu Limited Communication apparatus, communication method, and communication system
US8631234B2 (en) 2010-03-17 2014-01-14 Fujitsu Limited Apparatus and method for establishing encryption information common to a plurality of communication paths coupling two apparatuses

Also Published As

Publication number Publication date
JP2008219679A (en) 2008-09-18
EP2012492A1 (en) 2009-01-07

Legal Events

Date Code Title Description
AS Assignment

Owner name: NEC CORPORATION, TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MOMOI, YASUNORI;REEL/FRAME:020603/0981

Effective date: 20080221

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION